Posted
by
timothy
on Thursday February 11, 2010 @05:52PM
from the pounding-marks-for-euros dept.

Jack Spine writes "With nearly a billion users dependent on smart banking credit and debit cards, banks have refused liability for losses where an idenification number has been provided. But now, the process behind the majority of European credit and debit card transactions is fundamentally broken, according to researchers from Cambridge University. The researchers have demonstrated a man-in-the-middle attack which fooled a card reader into accepting a number of point-of-sale transactions, even though the cards were not properly authenticated. The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."

Seems like the problem with this system is that the problem is that the PIN is stored on the chip... and that's just as stupid as writing it on the card! The attacks are simple... either a card that always agrees the PIN given is correct, or a terminal that tries to authenticate all 10000 PINS and then learns the right one.

Payment processors have for years been wanting to have an offline secure system, but it just doesn't work. With cheap enough data systems available everywhere, it's not hard for every Wal-Mart most rural gas stations to see a satellite. Get a $20/mo. dial-up account if you have to... there's no reason for anything that does money to be off the grid.

If the PIN is stored online like traditional ATM cards, then there would be a quick way to be sure there's honest checking of the pin and alarms if somebody fails too many times. The American "contact" systems are actually reasons to not require a signature or a PIN... but those are also designed for small-dollar transactions and keeping the fast food line moving. Sure, they're open to cloning risk, but they're willing to take that downside because there's enough upside to using the system.

The reply about public key encryption is right. But to expand on it, I've seen this called the "digital cash problem" and it is also the same thing as the offline verified voting problem. There's a whole series of problems that boil down to offline verification of something unique. It can be done, but it requires a public key infrastructure and good use of encryption. It's not trivial to do, but it could be done. It's just that... no commercial company so far has had any desire to do it.

Umm. I wouldn't call paper ballots alone a "solution" to the issue of voting security.

There are means for generating cryptographically secured paper ballots -- see PunchScan, for instance, which allows you to take a (paper) receipt with you which you can use to prove that your vote was correctly recorded, but which can't be used to prove how you voted to others.

I think there's no question that a paper voting system which incorporates those features is better than one that does not, so claiming that using pa

RTFA. The problem isn't that the PIN is "stored on the card", it's that the card doesn't send any unique data to the terminal when the correct PIN is entered, it just sends a "Correct PIN was entered" message instead.

So, you stick something between the card and the terminal (the laptop) that intercepts the "Wrong PIN was entered" message from the card and forwards a "Correct PIN was entered" message to the terminal instead.

TBH I'm rather surprised that any information is allowed to be pulled off the chip without the PIN authenticating the user first; if you had to provide the correct PIN before the card would provide any information it would make it much harder to carry out the fraudulent transaction.

No. The problem is that the terminal isn't validating the PIN against anything it can trust... it's sending the entered PIN to the card and trusting the result returned, which can easily be spoofed. If the PIN was server-side, it could trust a results-only message... but that's not what's happening here.

MitM would just learn this and deny once and then accept whatever is sent the second time.

I call the scheme you're promoting as "hut-hut-HIKE" security. Jump offsides on a false call and you're in trouble. If there's a random number of fakes before the real one comes through, then you've got something.

To actually be secure, the card and the terminal would need to generate a shared secret in a way immune to a MitM attack, which can only reasonably be done with a certificate and a certificate authority (or other public key infrastructure), just as is done with HTTPS. Even then the terminal would need to be occasionally online to get cert updates, so it's not a perfect solution (plus there are still cert and CA based attacks possible).

I'm fairly certain that's at least a risky thing to do. Assuming the chips in the UK behave pretty much the same as those in the Netherlands, the chip will lock up and refuse to authorize anything after 3 failed attempts in a row. Up to the point where you have to go to your bank and request a new card, it won't (and hopefully can't) be reset.
Now imagine mistakenly using the PIN from your other card in a terminal which decides to pre-test with 2 random PINs.

Regardless, even though this attack is not technically extremely complex, it isn't that easy to pull it of in practice. You need to steel a card, and use a fake cards with wires dangling from it in a shop. You also need to buy something which isn't registered to your name in any way, which is easy to convert to cash, valuable enough to make it worth the risk and effort and preferably sold somewhere without CCTV.
It sure isn't impossible, but it's probably easier to earn your illegal cash some other way.

The problem is that the MitM can spoof the "correct PIN was entered" response, and this isn't a part of the transaction MAC (basically an encrypted summary of what happened). If the card used the PIN verification result in the MAC the card issuer could detect this attack trivially. Unfortunately, this is an implementation detail which each bank would have to manage separately. New cards need to be rolled out.

But how does that stand up to a man in the middle attack? Terminal starts session with MitM and MitM starts session with Card. MitM is simultaneously encrypting/decrypting the data to send it between the terminal and card and seeing everything all the time. Unless you have a pre-shared key, which is defeat-able in the case, what you describe is still subject to a MitM attack.

Replying to myself, if you read the PDF it details the process on page 3; the card actually does almost all of the transaction work before the PIN is entered, all the PIN enables is the "Is this transaction allowed? Yes, it's allowed. OK" part of the process.

Yep... and the "attack" is that anybody, the chip or anybody else can send the in-the-clear "OK" message and the terminal goes through with the transaction. Essentially, the PIN check is a "feel good" level of security that doesn't protect against much.

It seems this system was designed expressly to limit bank's liability by providing the illusion of security. "Oh, fraudulent charges, are they? But you entered your PIN... Can you prove your PIN was compromised? no? Tough then, pay up."

How many of us here on Slashdot save up for a while then periodically buy some pricey electronics gear either offline or from an online store? What do fraudulent purchases look like? Oh hey, it fits your spending pattern!

It's either/or. You can authenticate with the chip and your signature, then the merchant eats the damage if the signature turns out to be fake. Or you can authenticate with the chip and your PIN, then the usual assumption is that the customer didn't keep the PIN a secret. The attack works by pretending to the terminal that the card performs PIN authentication. The card, and by extension the bank, are made to believe that the customer wants to use signature authentication.

RTFA. The problem isn't that the PIN is "stored on the card", it's that the card doesn't send any unique data to the terminal when the correct PIN is entered, it just sends a "Correct PIN was entered" message instead.

So, you stick something between the card and the terminal (the laptop) that intercepts the "Wrong PIN was entered" message from the card and forwards a "Correct PIN was entered" message to the terminal instead..............

Please mod this up this is the point the article is trying to make.

All that needs to happen is the message Pin Verified or a similar message is sent to the EFTPOS terminal and the transaction goes through.

How about storing the PIN similar to how TrueCrypt validates a hash? One value is a random salt, which is decrypted by the PIN the user types in, and that is compared to the second value. Add in a number of rounds to help deter brute forcing.

However, what really is needed is for the smart card to either delay access with an exponentially increasing time, or after 3-5 bad guesses, the card blocks access to the PIN, until released by the provider, similar to how GSM SIM cards work.

The PIN storage or retry delay is not the issue. Cards ALREADY block access to the PIN after several failed attempts. The problem is that the bank is not able to detect that the card was never presented the PIN in the first place. The terminal thinks the PIN was verified, but it never gets passed on to the card.

No, the whole protocol is designed such that the important information is exchanged in authenticated packets between the chip on the card and the issuer's servers, with the terminal acting as a dumb relay. The terminal could not perform any transactions without a genuine card if there had not been the 2010 mishap: That caused the mag-stripe authentication to be reactivated. Once that problem is solved and the non-chip authentication methods are finally disabled, a transaction will require a genuine card, no

Given that it's trivial for people to shoulder-surf your PIN anyway (especially for people with "inside" access like security camera operators), the system is fundamentally broken.

The more interesting question is how hard it is to duplicate a Chip and PIN card; without this, criminals would need to physically steal the card (which of course can and does also happen, often without the victim realising for a few hours). At the moment, (at least from my understanding), the most common form of fraud involves th

In Canada, the MasterCard version is called PayPass [bmo.com] and I do have one of these PayPass-enabled cards and haven't had any problems with PayPass specifically (although my MasterCard was compromised just before Christmas but the bank reversed all the fraudulent transactions)

No, the payment processor is made to believe that PIN authentication isn't used. The false PIN-OK message is between the MITM and the terminal. The PIN entered is not actually compared to the PIN on the card. The MITM handles the card according to the "chip and signature" protocol and the terminal according to the "chip and PIN" protocol.

FTA: "The central problem with the EMV protocol is that it allows the card and the terminal to generate ambiguous data about the verification process, which the bank will accept as valid... while a PIN must be entered, any PIN code would be accepted by the terminal."

That's a serious flaw. You've got to insist on data being valid if you are going to record it as valid.

It's a good thing that we don't rely on ambiguous data in any other part of life.

You know, they say a lot of things about Python, but at least it doesn't name two of the most basic and important language operations after the contents of address register and contents of decrement register like some (otherwise-spiffy (if you overlook the (numerous) parentheses)) languages out there.

Chip & Pin has never been about minimising fraud - it's about pushing the responsibility from the banks onto the customers. And they're doing the same thing with the ridiculous Verified By Visa programme which just trains people to fall for phishing scams.

Like I said elsewhere, this is from the branch of security known as "false sense of". If you're constantly troubled for a PIN it means you'll feel safer... but when that PIN isn't needed by the fraudster we're back to the same point we were with "dumb" cards.

One goal of EMV was to externalise the costs of dispute from the issuing bank, in that if a disputed transaction has been authorised by a manuscript signature, it would be charged to the merchant, while if it had been authorised by a PIN then it would be charged to the customer. The net effect is that the banking industry, which was responsible for the design of the system, carries less liability for the fraud. The industry describes this as a 'liability shift'.

Security economics teaches us that such arrangements create "moral hazard," by insulating banks from the risk of their poor system design, so it is no surprise when such plans go awry.

The main security fraud taking place here is duping the customers (and the courts) into thinking there's any security associated with the PIN protocol in the first place.

Let's make this clear to the court, in terms they might be able to comprehend.

Let's say you have a band of tax evading Massachusetts patriots concerned with the migratory cycle of lobsterbacks. They approach a fellow named Paul and tell him that they have

But do you have any reason to say that they aren't actually interested in preventing fraud?

Because they keep outsourcing the development of a mission-critical security system to the lowest bidder instead of the most qualified. They probably throw in laughable constraints, too, such as having to work on existing POS terminals.

If they were truly interested in preventing fraud instead of denying liability (while still getting to say in marketing that they protect you from fraud), they would contract the design of this system out to some real security experts - and, given the obvious quality of their design team in matters of security, they could post the job offer on slashdot to get some reasonable candidates - who would then use a public-private key encryption scheme where the POS terminal's public key would have to be signed by the credit card authority's private key, which could be verified by the chip by using the public key therein, and then the chip would use that public key to encrypt its own public key, which would be used by the POS terminal to encrypt the PIN that the user typed in, and send it back. And then, no matter whether the PIN is valid or not, the chip would send back some sort of data encrypted with the POS' public key again. That data would decrypt to something that was encrypted with the credit card company's public key, so that the POS terminal would then have to send it back to the credit card center (Visa, MC, Amex, whatever) to get it decrypted (along with its own public key so the credit card company could re-encrypt its response) to validate. The data sent back to the credit card company would include: the encrypted confirmation from the card (plus some random data that can get chopped off, e.g., some JSON-like data: '{verified:true,defeat-listeners:"adsh65ouhdsakljt"}' would be easy enough for the credit card company to get what it needs while discarding the rest while resulting in the packet changing every time), the amount of the transaction, the public key of the POS terminal, all encrypted again with the upstream public key. Upstream could decrypt, extract, and decrypt again. Oh yeah, and before the chip gets printed, its own public key would have to be signed by the credit card company, just to make it that tiny bit more difficult to forge.

For a laptop to sit in the middle and get anything out of such a system would be practically impossible. And, if done right, defeating it once won't mean easy-sailing after that. Maybe an electron-microscope on an exposed chip might help... but even then, I'm not sure it'd help enough.

And before real security experts jump on me, this is just something I thought up over the last ten minutes. If I were given a $50,000 consulting contract to design this, I'd spend far more than 10 minutes on it, and might find some of the kinks that are likely obvious to much more experienced people than I.

The problem is that the merchants have insurance and the number of fraudulent accesses is pretty small. So merchants are reluctant to spend $10,000 per terminal for a system as you describe.

They have been already forced to spend $1000-$2000 per terminal already for something that has $100 of components in it.

Sure, it could be done as you suggest. But a lot of these systems were designed to work over a 300 baud modem or with no external connection at all - just buffering stuff up until later. So now you would also require a real Internet connection from each terminal. Well, the costs just keep going up on the merchant.

The end result is that merchants just say they can't implement something like that in all locations. Or the box is too expensive and they aren't buying any of them. So instead of universal penetration it is 5 or 10 percent of the merchants.

The reason they went with a low-cost, easy-to-implement solution in the first place was to gain wide (if not universal) acceptance so these things could be at every POS location everywhere. No matter what system the merchant was using or at least minimal interface requirements. It is like credit card terminals in the US - there are still a large number of places where they put the sale information into one system and then re-key the sale into a credit card terminal because integrating is too expensive and the terminals are relatively cheap.

It's a cost-benefit analysis, and "pushing $x worth of liability onto someone else" works out to be not too much worse than "preventing $y worth of fraud", if $x = $y. Now if $x > $y, suddenly they're better off moving the liability than preventing the fraud. Similarly, if the first option costs more than the second, even if $x = $y, they're better off just moving liability.

This is why Britain has a historical problem of card fraud, and the US has a much better record. The US never let the banks push lia

It was designed to be shitty and insecure so fraud could continue.It was sold as being highly secure in order to get them into widespread use and to get the laws set up to remove all liability from the banks as long as the system says the card is good.

The banks profit off of fraud.

This is all intentional, and it has been going on in criminal circles with these cards before day one. The only difference now is that some group has publicly revealed the sordid details.

Agree that these "security systems" are about dodging liability rather than providing good security. Of course, another big benefit to the bank is that it makes it much harder to transfer money over small amounts, say $1000, if you can't go to the office physically or don't use their "verification card". Money that the banks won't give back easily.

VISA et al seem to be trying to break into the Canadian market, which is fundamentally dominated by Interac [interac.ca], another PIN-based debit system run by a coalition of banks. Almost every merchant in Canada (or at least Ontario) have Interac POS readers. It should also be noted that most Canadian bank cards aren't backed by VISA / MasterCard (like they are in the United States), they're simply debit cards, linked directly to bank accounts.

Visa and MasterCard debit cards in the United States are also basically directly linked to bank accounts. The logo basically just means your transaction will work as a fake "credit" transaction at Visa/MasterCard merchants who don't have debit support, or when you don't feel like entering your PIN. Or so I understand.

Yes, this is in effect in Canada too. I have a BMO Bank of Montreal MasterCard and BMO Bank of Montreal debit card, and both are chip and PIN enabled.
There's even a website with a bunch of information and FAQs on chip and PIN:
http://www4.bmo.com/chip/questions.html [bmo.com]
Full disclosure: I am a Bank of Montreal employee, but from my understanding, all major Canadian banks will be following suit if they haven't started already.

This has been known for years. The machines and man-in-the-middle attacks are obvious, simply because you cannot verify the authenticity of any machine that you stick your card into and type your PIN. You have no clue that any one of them is doing what you think it should be doing. ATM machines are bad enough, but at least there is some sort of trust over the fact they are at a fixed point and there is some form of physical security around them. With chip and pin machines all you have is utterly blind faith that you have no choice but to accept, and then you get blamed for being insecure by the banks when the inevitable happens.

What have we heard about this in the mainstream press and media? Nothing. People, and those with a vested interest, obviously just want to deny that it can happen.

You know what helps you sound informed and intelligent? Reading the article. You know what makes you sound, well, silly? Not reading the article. Here's a clue to spark your interest: it isn't the card readers that are performing the man in the middle, it is the person in possession of the card performing the attack against a standard card reader.

This doesn't seem like the average attack we see in the United States, where a false card reader and camera copy a victim's credit card stripe and PIN respectively. I'm by no means an expert in Chip and PIN, but Wikipedia indicates that the smart card chip is much more difficult to copy than the US's magnetic stripes:

Chip and pin is definitely better then card swipe, or card swipe and pin.

Card swipe and PIN appears to be better. While I can easily copy a card, there's no way I can manufacture a card which will work with any PIN.

The only problem is the banks are treating the increase in security as absolute security, and refusing to handle any fraud concerning a chip and pin transaction.

This is one of the areas where the US is actually ahead of the game. For credit cards, there's $50 liability maximum for the cardholder. For ATM/debit cards, it's also $50 if you notify them within 2 days, but $500 if you notify them within 60 days, of finding out about it. They can't just say "Impossible" and have you jailed for having the temerity to claim a charge was fraudulent (as has happened in the UK).

I have encountered credit card fraud quite a few times - maybe 7-10 times in the last 10 years or so. Everything from having a card stolen to the number being used fraudulently by someone online.

I have never experienced, nor has anyone I have ever encountered, any penalty at all. The $50 limit is an upper limit, apparently if the credit card issuer seems to think you are somehow complicit in the fraud. I've never had anything happen other than simply having the charges removed from the account. And gett

This combination of cardholders not being penalized and large merchants having insurance is why the current rampant fraud situation and stolen credit card number market is how it is. You can make hundreds of dollars by selling credit card numbers and other information, and plenty of folks do just that. It's extra money. You didn't really think the waitress was getting by on just tips, did you?

Penalizing the cardholder doesn't help at all. How can I, as a cardholder, prevent a crooked waitress from swiping

I see the importance of this not to be what kind of attack they used (other than being relatively simple), but the fact that they are proving these cards aren't as secure as they're claimed to be. It's the difference between knowing Capone did it and finally getting evidence that will stick.

This has been known for years. The machines and man-in-the-middle attacks are obvious, simply because you cannot verify the authenticity of any machine that you stick your card into and type your PIN. You have no clue that any one of them is doing what you think it should be doing. ATM machines are bad enough, but at least there is some sort of trust over the fact they are at a fixed point and there is some form of physical security around them. With chip and pin machines all you have is utterly blind faith that you have no choice but to accept, and then you get blamed for being insecure by the banks when the inevitable happens.

Please note that while this is a MIM attack, neither the ATM nor its communication links are compromised. The MIM part is in the _card_, that gives out an "This is a valid transaction PIN code" no matter what. So attach a fake card to some wires running up your sleeve into a laptop and FPGA in a back pack, and and you can draw money from the account to the maximum limit with a fake card and without entering a correct PIN code.

The sad thing is that the banks are in total denial about this, claiming that since no such attacks have been discovered, the problem doesn't exist.

You can not use a fake card. You need a genuine card. The MITM is between the genuine card and the terminal. The transaction goes through because "chip and PIN" isn't the only acceptable protocol. The card can also be used in combination with a signature instead of the PIN. The trick is to make the terminal think that the card is using PIN authentication while the card actually performs the (authenticated!) chip and signature protocol.

The bank usually gets the information that no PIN was sent to the card, but this information is not relayed back to the terminal in way which is both standardized and authenticated. The "PIN-OK" message from the card to the terminal is not authenticated and the authenticated transaction request/accept messages between the card and the bank (through the terminal) only contain the information in an unstandardized format. That's the flaw.

I read the article, to quote it:"Once the fake card was inserted, the Python script running on the laptop relayed the transaction, suppressed the verify PIN command issued by the terminal, and responded with the 0x9000 code."

You also need a genuine card, but the one you insert in the ATM is a fake as I wrote. Obtaining genuine ATM chip cards has never been a problem for criminals, but using them has. This flaw allows criminals to withdraw money from a gen

I'm just curious as the article summary and article don't mention (I guess the PDF might, but from the article's description, it isn't clear)...

Do they still need the card?

The article seems to describe the attack as a man-in-the-middle attack.. i.e. card -> their device -> the card reader/writer. So the card instigates all the important bits (which back account number, etc.), and then their device sends back an 'OK' to the card reader/writer, happily ignoring the PIN part.

But does that mean they do still need to have a card? Or could they easily make their own card with the details of whoever (let's say they grab the bank account # off of some business registry website), and then go ahead and perform transactions with it + their device?

Yes, they still need the card. The card performs a "chip and signature" protocol with the bank. In the "chip and signature" protocol as well as in the "chip and PIN" protocol, the chip on the card uses a secret symmetric key to create a transaction-specific message authentication code. The bank will not accept the transaction without that code. The attack is to have the card perform "chip and signature" while the terminal performs "chip and PIN". The protocol flaw is that the terminal cannot tell that the c

The article states that the banks dont accept liability for a transaction performed with PIN. This is true however the liability isn't pushed to the consumer, it is accepted by the card issuer instead (i.e. mastercard, visa etc.).

I also disagree with their assertion that chip and pin is fundamentally broken. EMV requires the card to generate a cryptogram at the end of the transaction. The card can simply refuse to generate this data if it hasn't received the correct PIN. I am a little suprised that the cards they tried don't do this already.

Some people here have suggested that the PIN be authenticated online. The EMV standard actually supports online authentication of PIN, its just that some banks choose to issue cards that use a PIN that is verified by the card instead because they don't have the systems in place to support online verification. Many banks

For all the people saying that the designers of the system dont know what they are doing i suggest they read the specifications (freely available on the emvco website). They are actually quite good and do support pretty much all of the improvements people here have suggested (and more). The problem is they need to be practical as well, something that most comments here don't consider. There is no point designing a foolproof system that no-one can use.

This hole can be removed and it most certainly will be if criminals start to exploit it.

The reason this works with credit cards is little or no checking is done at the place of purchase. It is expected that the customer will check there monthly statement and notify the bank / credit company of any issues.

"The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."

Oh some Americans already have a similar system. It's called Ball and Chain. Courtesy of this system there's little fraud because all transactions are wife approved.

The idea of forcing people to enter PINs into any machine controlled by a retailer was ridiculous from day one - the supposed extra security of Chip & Fraud was merely a way for the banks to transfer liability for fraud to the customer. (Happily the FSA has now forbidden them to do this unless they have actual genuine proof that the customer gave away their PIN - well done guys, springing into action after only 4 years of complaints).

One of the selling points of this system is that you DON'T need to let your card leave your sight, or even your hand, as before when magnetic strips were used that was good indication of having your card copied.

The terminal you put your card is is usually wireless or has a long cord so you can pick it up to better hide your pin when you enter it. This makes using a card with wires going up your sleeve quite easy to get away with and keeping hold of the card is not unusual behaviour that would arouse suspici

The Chip and PIN principle is a lot older in Europe than anywhere else in the world. Asia is far behind, however converting fast, and the US is down the drain. France has implemented a Chip'n'PIN system since the early 90s, and Belgium has been using its local equivalent (Bancontact) since the mid-90s. Because credit/debit cards are synonymous to Chip and PIN cards in Europe, EMV has become a synonym for a unified European payment system [wikipedia.org].

The US has massive plans to implement EMV. The main difference is that banks are quite opposed to it because the cost of overhauling their complete architecture for the sake of fraud is quite a difficult thing to sell -- we're not talking about a simple card update, every single Point of Sale will need a new terminal, every single individual will need his card replaced. How many credit cards are used in North America? 700 million if my memory serves me well, or more. At roughly $15 per card, when bought in high quantities, that's quite a lot of money. Each terminal costs roughly $150-$230, so that's not a small investment either.

Next to that, you need the network connectivity, and the servers to handle it. I remember discussing this with a colleague some time ago, and by eyeballing it quickly, we got a number of roughly $100 to $130 per customer. Obviously, the banks could always ask for more cash from the government to pay for it?